Method and arrangement for authenticating a control unit and transmitting authentication information messages to the control unit

ABSTRACT

In a method and arrangement for authenticating a data processing system, first information is generated by a first data processing system and delivered to a second data processing system for a control unit. First data are transmitted from the second data processing system to the first data processing system over a data line, the first data being generated by the second data processing system with aid of the first information and additional information contained in the second data processing system. Second data are generated by the first data processing system depending on the first data and transmitted from the first data processing system to the second data processing system. Authentication information for authenticating the second data processing system is generated by the second data processing system with aid of the second data.

BACKGROUND

The preferred embodiment relates to a method and an arrangement for generating authentication information by means of which a data processing system performs an authentication of a control unit. The preferred embodiment further relates to a method and an arrangement for authenticating a control unit of an electrophotographic printing or copying system.

Known electrophotographic printers and copiers have communication interfaces over which the control units and maintenance computers can be linked with the printer or copier for purposes of control, diagnostic analysis, and maintenance. In particular, security related settings of the printer or copier can be changed with the aid of the maintenance computers. If such modifications are performed by insufficiently qualified operators or unauthorized persons, e.g. over a network connection, the result may be a significant quality degradation and damage or destruction of assemblies of the printer or copier.

In the case of known printers and copiers, a number of so-called user levels are provided, whereby a user can select a user level and verifies his authorization to select this user level by inputting a password. Furthermore, with known printers and copiers, unauthorized persons may be able to acquire information about the structure and control structure of the printer or copier through unsecured access with the aid of the communication interface of the printer or copier. System parameters such as meter counts of the printer or copier, which may be used for billing purposes, can also be manipulated over the communication interface of known printers or copiers.

The European Patent EP 0 513 549 A2 describes an arrangement for controlling and transmitting data between a host computer and a copier control, whereby the communication does not occur until the successful identification of the host computer with the aid of a password. A control unit for communication control is also provided.

U.S. Pat. No. 5,077,795 describes an electronic printing system in which the security of user data and user programs is ensured with the aid of a user profile for each user. The user profiles are managed by a security administrator on site or at a remote location.

However, known access methods offer only an inadequate protection of the printer's internal data and settings. In particular, a substantial risk associated with passwords is that they can be spied on with the aid of program modules that record the keyboard inputs. Another security risk associated with passwords is that they must be delivered to the respective user, whereby it often cannot be guaranteed that unauthorized parties will not acquire knowledge of the passwords during the transmission and/or delivery of the passwords. Nor is there any guarantee that authorized parties will not disseminate the passwords to unauthorized parties. An effective local protection of known printers or copiers could only be achieved by preventing unauthorized parties from gaining physical access to the communication interface of the printer or copier. But in that case the print data could not be transmitted to the printer over a network that is also linked to global networks such as the Internet over which unauthorized parties also have access to the printer. But such techniques also foreclose the possibility of remote maintenance, remote diagnostic analysis, or remote control of the printer by service specialists that are not on site.

SUMMARY

An object is to propose a method and an arrangement with which it is easy to authenticate a data processing system.

In a method and arrangement for authenticating a data processing system, first information is generated by a first data processing system and delivered to a second data processing system for a control unit. First data are transmitted from the second data processing system to the first data processing system over a data line, the first data being generated by the second data processing system with aid of the first information and additional information contained in the second data processing system. Second data are generated by the first data processing system depending on the first data and transmitted from the first data processing system to the second data processing system. Authentication information for authenticating the second data processing system is generated by the second data processing system with aid of the second data.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block wiring diagram of a system for generating and transmitting a key for authenticating a service and maintenance computer;

FIG. 2 is a control interface for requesting the key at an authorization server;

FIG. 3 is a block circuit diagram for the authenticating of the service and maintenance computer by a printer; and

FIG. 4 is an output window with a text message that is output in the event of authorization failure.

DESCRIPTION OF THE PREFERRED EMBODIMENT

For the purposes of promoting an understanding of the principles of the invention, reference will now be made to the preferred embodiment illustrated in the drawings and specific language will be used to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended, such alterations and further modifications in the illustrated device, and/or method, and such further applications of the principles of the invention as illustrated therein being contemplated as would normally occur now or in the future to one skilled in the art to which the invention relates.

What a method for authenticating a data processing system achieves is that the second data are supplied to the second data processing system in a very secure fashion, and with the aid of the second data, the second data processing system generates authentication information with which an authentication procedure can be advantageously executed automatically without intervention by a human operator.

A second aspect of the preferred embodiment relates to an arrangement for authenticating a data processing system. A first data processing system generates first information. The first information is sent to a second data processing system of a control unit. The second data processing system generates first data with the aid of the first information and additional information that is contained in the second data processing system. The arrangement contains a data line over which first data are transmittable from the first data processing system to the second data processing system. The first data processing system generates second data depending on the first data. The second data are transmittable from the first data processing system to the second data processing system over the data line. With the aid of the second data, the second data processing system generates authentication information for authenticating the second data processing system.

The effect of this arrangement of the preferred embodiment is that the generation and transmission of the second data for generating the authentication information by means of the second data processing system can be executed easily and without complex user intervention. Furthermore, because the second data processing system generates the authentication information with the aid of the second data, an authentication of the second data processing system by an additional data processing system and/or the first data processing system is easy to realize.

A third aspect of the preferred embodiment relates to a method for authenticating a control unit of an electrophotographic printing or copying system. First data are stored in a first data processing system of the control unit. The first data processing system generates authentication information with the aid of the first data. With the aid of authentication data the authentication information is transmitted to a second data processing system of the printing or copying system. The authenticity of the first data processing system is checked or validated by the second data processing system. With the aid of the authentication data, access rights for the first data processing system are defined by the second data processing system.

An authentication of the control unit and the defining of access rights of the control unit are very easy with the method of the preferred embodiment. Complicated and costly user interventions by a human operator are not required in order to authenticate the control unit.

A fourth aspect of the preferred embodiment relates to an arrangement for authenticating a control unit of an electrophotographic printing or copying system. First data are stored in a first data processing system of the control unit. The first data processing system generates authentication information with the aid of the first data. The first data processing system transmits authentication data to a second data processing system of the printing or copying system, which data contain the authentication information. The second data processing system checks the authenticity of the first data processing system, whereby it defines access rights of the first data processing system with the aid of the authentication data. With this arrangement of the preferred embodiment an authentication of the control unit can be executed very easily by the control unit of the printing or copying system. Such authentication does not require intervention by a human operator. Furthermore, with this arrangement a very secure authentication of the control unit is performed, and foreign or external access to the data processing system of the printing or copying system is prevented.

FIG. 1 represents a system 10 for generating and transmitting a key 12 that serves for the authenticating of a service and maintenance computer 14 by an additional data processing unit of a printer which is not represented. The system 10 contains an authorization server 16 that is linkable with the service and maintenance computer over a network connection 18. The generation and transmission of the key 12 is also referred to as an approval or enable procedure of the service and maintenance computer 14. A data connection between the service and maintenance computer 14 and the authorization server 16 is needed for this approval procedure, for instance over network 18.

The authorization server 16 generates what is known as a transaction number (TAN). The transaction number is a series of numbers and/or letters that a human operator must enter at the service and maintenance computer in order to execute the approval procedure. The transaction number generated by the authorization server 16 is sent to the operator by mail or e-mail. The operator is preferably a service technician from the printer manufacturer with a portable computer, a so-called notebook, as the service and maintenance computer 14. The service technician's service and maintenance computer 14 is referred to hereinafter as the service notebook.

After receiving the transaction number by mail or e-mail, the service technician starts a program module for executing the approval procedure on the service notebook 14. The service technician enters the transaction number by means of an interface and starts the approve operation. The program module detects a predetermined hardware identifier, for instance the serial number of the processor or of an adapter. A hardware identifier of this kind is also referred to as the fingerprint of the service notebook 14. The serial number and transaction number are transmitted to the authorization server 16 over the network connection 18. The authorization server 16 checks the validity of the transaction number and defines an authorization level for the service notebook based on said number, which will subsequently determine the access rights of the service notebook 14 to the control units and databases of a printer when the notebook and printer are linked.

The authorization server 16 also defines a validity date until which an authorization by a printer is possible with the aid of the generated key 12. A period in which a service notebook 14 can be approved with the aid of the transmitted transaction number is also defined. With the aid of the transmitted hardware identifier, validity date, and authorization level, the authorization server 16 generates what is known as a key 12, which contains this information in coded form and/or by means of which this information can at least be checked. The key 12 is transmitted over the network 18 to the service notebook 14 and stored in a memory area of the service notebook 14.

An approval procedure for approving the service notebook 14 is thus implemented by means of the system 10. The key 12 that is stored in the service notebook 14 as a result of this approval procedure contains the hardware identifier, expiration date and access rights of the service notebook 14 in encrypted form.

In other exemplifying embodiments, at least the hardware identifier, the expiration date, and the access rights can be checked with the aid of the key 12. In other exemplifying embodiments the transaction number can also be generated by a separate institution. The transaction number must then be sent to the service technician for entry into the service notebook 14 and entered into the authorization server 16. The network link 18 according to FIG. 1 is a connection via a wide area network such as the Internet. If an Internet connection such as this is chosen, the data transfer occurs with the aid of a secure transmission channel.

Alternatively, in other exemplifying embodiments a point-to-point connection, e.g. by means of a modem, can be established over a public telephone network. In order to enhance transmission security, known encryption methods can be used for data transmission. Furthermore, with the aid of the system 10 a service technician can approve the service notebook 14 from an arbitrary location that is linkable with the network 18. Thus it is also possible to approve the service notebook 14 from a customer's telephone terminal or any other telephone terminal.

If the validity period of key 12 has expired, the service notebook 14 must be reapproved. Reapproval is performed according to the same procedure described for the first approval of the service notebook 14.

Different keys 12 are generated and delivered by the authorization server 16 for different notebooks at the same authorization level. However, the authorization level and validity period can be determined unambiguously from these different keys 12 without the respective key 12 itself having to be known to a data processing system of the printer that checks the authenticity of the service notebook 14. As a result, it is not necessary to inform all printers about which of the technician's notebooks 14 and which other control units have authorization to access the database and/or control units of the respective printer. Such a service notebook 14 is linked with a printer locally or over a network connection 18 as a control unit, it being possible to read the printer's settings and transmit modified settings to it by means of the service notebook 14, to operate the printer by means of the service notebook 14, and to run a diagnostic analysis of the printer or its assemblies by means of the service notebook 14.

For each individual parameter the authorization level from which a read and/or write access to this setting parameter is permitted can be defined by means of the printer software or firmware. Write access to setting parameters is advantageously allowed only to users with a high authorization level.

FIG. 2 represents a control interface 20 for approving the service notebook 14. The control interface 20 is generated with the program module for approving the notebook 14 that was started by the technician on the notebook 14 and output on a display device of the notebook 14. With the aid of this control interface 20 the operator can choose the type of connection to the authorization server 16. The operator can enter or select the network address or, if the notebook 14 is connected to the authorization server 16 over a network connection of the World Wide Web of the Internet, the Internet address of the authorization server 16 in an input and output field 22. Alternatively, a point-to-point connection of the service notebook 14 to the authorization server 16 can also be set with the aid of a selection field 24 if, for example, the notebook 14 and the authorization server 16 are linkable over modems with the aid of a telephone network. For a point-to-point connection, the operator can enter the required data for the setup of the point-to-point connection in the input region 26. These data relate in particular to a log-in name and a password for setting up the connection and a telephone number via which the authorization server is reachable over the telephone network. A protocol is also selectable.

Region 26 also contains an output field in which the connection status is displayed. A connection over the telephone network can be established with the aid of a graphic button 28. An existing connection can be interrupted with the aid of the graphic button 30, and the setup and dismantling of a connection can be interrupted with the aid of the graphic button 32. The transaction number (TAN) that was sent is entered into input field 34. After inputting the transaction number, the operator can start the registration process at the authorization server with the aid of the graphic button 36, whereby the program module transmits the transaction number and the serial number of the processor of the service notebook 14 to the authorization server 16. The program module contains special program elements for detecting the serial number of the processor.

As described above in connection with FIG. 1, after checking the validity of the transaction number, the authorization server 16 determines a key 12 with the aid of the processor's serial number and other information. After the key 12 is generated, it is transmitted to the notebook 14. The key 12 is stored in a dedicated memory area of the notebook 14. After the key 12 has been successfully transmitted to the notebook 14, the button 38 is displayed as active, indicating that the notebook 14 has been successfully approved. Activating the graphic button 38 terminates the approval operation and ends the running of the program module for approval.

FIG. 3 is a block wiring diagram representing the authentication of the notebook 14 by a printer 40. The notebook 14 is connected to the printer 40 over a network connection 42. As explained above in connection with FIGS. 1 and 2, a key 12 is stored in the notebook 14, which contains information about the serial number of the processor, the validity period of the key, and the access rights of the service notebook 14. This information is preferably contained in the key 12 in coded form. Alternatively, this information can at least be checked with the aid of the key 12.

Before the notebook 14 receives access to setting parameters and diagnostic functions of the printer 40, the printer 40 performs an authorization of the service notebook 14. For that purpose, a program module of the printer detects the presence of the key 12 on the service notebook 14 and the authorization level of the notebook 14 over the network 42.

The authorization by the printer 40 is preferably achieved through the challenge and response technique. The printer 40 transmits a random number to the service notebook 14. With the random number, the service notebook 14 performs a non-bypassable mathematical computation operation depending on the key 12. The result of this computation operation is transmitted to the printer 40 over the network connection 42. The printer 40 checks the computation result by performing a mathematical computation operation that leads to the same result. If the two results match, then authentication of the notebook 14 by the printer 40 is successful.

As already mentioned, in the printer 40 it is specified for each setting parameter of the printer 40 whether users with a particular authorization level have read and/or write access to the value of the setting parameter. The service notebook 14 is one such user. Upon the successful authentication of the notebook 14, the printer 40 transmits data for generating a graphic user interface for controlling, configuring, and servicing the printer 40 to the notebook 14. The transmitted data are processed by the notebook with the aid of a browser program module. The graphic user interface preferably contains control interfaces, which are selectably displayed with the aid of menus.

The graphic user interface and the control interfaces are preferably designed in such a way that they are automatically adapted to the authorization level of the notebook 14. If the notebook 14 is not authorized for a read and/or write access of the setting value of a setting parameter based on the assigned authorization level, this setting value is not displayed or is displayed only as inactive. If the notebook 14 lacks authorization to execute a diagnostic function, then this diagnostic function is not offered, i.e. not displayed, with the control interface and/or the menu items. That way, the operating of the control interface at lower authorization levels is easier and more clearly arranged.
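The approval procedure of FIG. 1 (TAN entry, hardware fingerprint, key with expiry and authorization level), the printer's challenge/response check of FIG. 3 and the per-parameter access decision described above, worked through as an added Python example that is not part of the patent. The HMAC-SHA256 construction, the key's field layout, the master secret shared between authorization server and printers, and all names and sample values are assumptions made for this illustration; binding the per-notebook secret to the claimed fields is what lets the printer verify a key it has never seen.

```python
"""Added example (not the patent's own code): TAN-based approval of a service
notebook by an authorization server, challenge/response authentication of the
notebook by a printer, and an access decision from the authorization level.
Names, field layout and the HMAC-SHA256 construction are assumptions."""
import datetime as dt
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed secret shared by the authorization server and the printers it
# serves (assumption). A printer re-derives a notebook's key material from the
# fields the notebook claims, so the key itself need not be known to it.
MASTER_SECRET = b"constructed-master-secret-for-illustration-only"

# Assumed per-parameter policy: authorization level needed for read / write.
PARAMETER_POLICY = {
    "fuser_temperature": {"read": 1, "write": 3},
    "meter_count":       {"read": 1, "write": 4},
}

TODAY = "2024-01-10"   # constructed reference date, ISO format


def _days_after(iso_date: str, days: int) -> str:
    return (dt.date.fromisoformat(iso_date) + dt.timedelta(days=days)).isoformat()


@dataclass(frozen=True)
class Key:
    """The 'key 12': fingerprint, expiry, level and a secret bound to them."""
    fingerprint: str
    expires: str
    level: int
    secret: bytes

    def claim(self) -> str:
        # The public part the notebook presents to the printer.
        return f"{self.fingerprint}|{self.expires}|{self.level}"


def derive_secret(claim: str) -> bytes:
    return hmac.new(MASTER_SECRET, claim.encode(), hashlib.sha256).digest()


class AuthorizationServer:
    def __init__(self):
        self.tans = {}   # TAN -> (authorization level, last day the TAN is valid)

    def issue_tan(self, level: int, valid_days: int, today: str = TODAY) -> str:
        # The TAN reaches the technician by mail or e-mail (first channel).
        tan = secrets.token_hex(4).upper()
        self.tans[tan] = (level, _days_after(today, valid_days))
        return tan

    def approve(self, tan: str, fingerprint: str, today: str = TODAY, key_days: int = 90):
        # Notebook sends TAN + hardware fingerprint over the network (second channel).
        entry = self.tans.pop(tan, None)          # a TAN is single-use
        if entry is None or today > entry[1]:     # unknown, reused or expired TAN
            return None
        level, _ = entry
        expires = _days_after(today, key_days)
        return Key(fingerprint, expires, level,
                   derive_secret(f"{fingerprint}|{expires}|{level}"))


def respond(key: Key, challenge: bytes) -> bytes:
    """Notebook side: keyed computation over the printer's random number."""
    return hmac.new(key.secret, challenge, hashlib.sha256).digest()


def printer_authenticate(claim: str, challenge: bytes, response: bytes,
                         observed_fingerprint: str, today: str = TODAY):
    """Printer side: returns the authorization level on success, None otherwise."""
    fingerprint, expires, level = claim.split("|")
    if fingerprint != observed_fingerprint:       # key is bound to this hardware
        return None
    if today > expires:                           # validity period over: reapprove
        return None
    expected = hmac.new(derive_secret(claim), challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):  # tampered claim or wrong key
        return None
    return int(level)


def may_access(level: int, parameter: str, mode: str) -> bool:
    return level >= PARAMETER_POLICY[parameter][mode]


def demo():
    server = AuthorizationServer()
    tan = server.issue_tan(level=3, valid_days=7)
    key = server.approve(tan, fingerprint="CPU-SN-0001")   # stored on the notebook
    challenge = secrets.token_bytes(16)                    # printer -> notebook
    level = printer_authenticate(key.claim(), challenge, respond(key, challenge),
                                 observed_fingerprint="CPU-SN-0001")
    return server, tan, key, level
```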

With an authorization procedure such as the one described in connection with FIGS. 1 to 3, it is easy to prevent accidental or intentional manipulations and incorrect settings of setting parameters of the printing system. It is possible for the service notebook 14 to access the printer over a direct data line on site as well as remotely over a network connection, e.g. over the Internet or a telephone network. That way, remote maintenance, remote control and remote diagnostic analysis are easy to perform.

If the user interface for operating, configuring, and diagnostically analyzing the printer 40 is transmitted from the printer 40 to the notebook 14 over the network 42 and displayed there with the aid of a display program module, e.g. with the aid of a browser, then all the notebook 14 requires is software for requesting and managing the key 12, which must be stored in a storage area of the notebook 14 in addition to its standard software and processed by the notebook 14. The standard software of the service notebook 14 comprises at least one operating system and one browser program module.

The browser program module advantageously contains a Java Runtime program environment. The processing of Java Applets is very easy with the aid of this Java Runtime environment. With the aid of the Java Applets comprehensive operating, diagnostic, and configuration functions as well as a graphic user interface can be generated, which are output via the browser program module. It is not necessary to transmit and verify passwords. In particular, an inherent risk of such a password is that the password may be disseminated to another technician or operator, for example in the event that the service technician or operator is replaced for a weekend or during a vacation. Often these passwords are also written down and could reach unauthorized parties that way also.

According to the authentication of the preferred embodiment of the service notebook 14, the notebook contains all the data needed for its authentication. In the event of a substitution during a vacation or weekend, the notebook 14 is simply handed over to another technician or operator. The substitute technician or operator does not receive any information with which it is possible to access the printer 40 using another service notebook or another data processing system after returning the service notebook 14.

FIG. 4 represents an output window with a text message that is output on the notebook 14 in the event of unsuccessful approval and in the event of expiration of approval. With this text message the technician is informed that the notebook 14 is not approved and he has no access to service tools, diagnostic tools, or documentation. Using the graphic button 44, the operator can start the program module for approving the notebook 14, whereby the control interface represented in FIG. 2 is output. But approval as described in connection with FIG. 2 is possible only if the operator has a valid transaction number. If graphic button 46 is activated, the program module for approval is not started, and the service and diagnostic tools requiring an authorization level are not available to the technician at notebook 14, nor is service documentation.

Alternatively to the serial number of the processor, a so-called MAC address of the network card contained in the service notebook 14 can be used as the hardware identifier. The MAC address is also referred to as the Ethernet address. The MAC address is a worldwide unique identifier of a network adapter. It is used in layer 2 of the OSI model for addressing. The MAC address is stored in a ROM memory of the network adapter and cannot be modified by means of program modules of the notebook 14. The MAC address is six bytes long and contains the manufacturer and the serial number of the respective network adapter in encrypted form. The MAC address is readable with known program modules. The MAC address thus serves as a unique identifier of the service notebook 14.

Furthermore, it is expedient to provide several user groups, each with an authorization level allocated to it. With this kind of an authentication, customer data such as overlays, character sets, and other resources can be protected against unauthorized reading or modification. An authorization of other internal and external operating units of the printer can also be performed before these units are given access to the setting parameters and control functions of the printer. The unauthorized operating of the printer 40 that can occur over a network to which the printer 40 is linked is also prevented this way. A cryptography technique with which information is encoded and decoded is preferably used, particularly an asymmetric or symmetric encryption technique. The key 12 can also contain a legitimation code. The key 12 is preferably a public key or a private key. Alternatively, a signature can be used instead of a key.

Despite the representation and detailed description of preferred exemplifying embodiments in the drawings and the description above, these should be understood purely as exemplary and not as limiting the invention. It bears emphasizing that only the preferred exemplifying embodiments are represented and described, and protection is intended to extend to all alterations and further modifications that are or will be within the scope of the invention.

The invention claimed is:
1. A method for authenticating a maintenance and diagnostics service computer for connection to a printing or copying system to be serviced by performing maintenance and diagnostics, comprising the steps of: generating a transaction information by an authentication server and delivering via a first communication line the transaction information to a user of said maintenance and diagnostics service computer, said transaction information being entered by the user of the service computer into the service computer in order to execute authentication of the service computer; generating first data by the service computer with aid of the transaction information, said first data including a hardware identifier of hardware contained in the service computer; transmitting said first data via a second communication line which is distinct from the first communication line from the service computer to the authentication server over said second communication line comprising a data line; generating key data by the authentication server depending on the first data and transmitting the key data from the authentication server to the service computer over the data line, said key data defining access rights of the service computer; with the service computer generating authentication information for authenticating the service computer with aid of the key data; transmitting the authentication information from the service computer directly to a system control unit of said printing or copying system independently of the authentication server and after receiving the key data from the authentication server verifying authenticity of the service computer by the system control unit; and with the system control unit checking said access rights defined by the key data of the service computer, and if access is authorized, servicing by performing said maintenance and diagnostics on the printing or copying system with the maintenance and diagnostics service computer.
2. A method according to claim 1 wherein a check is performed to determine whether the service computer contains the hardware identifier.
3. A method according to claim 1 wherein the key data contain an expiration date in addition to said access rights.
4. A method according to claim 3 wherein the access rights are assigned with aid of an authorization level.
5. A method according to claim 1 wherein the key data are transmitted in encrypted form.
6. A method according to claim 1 wherein the data line comprises a network connection.
7. A method according to claim 1 wherein the data line comprises a point-to-point connection.
8. A method according to claim 1 wherein the transaction information comprises a transaction number.
9. A method according to claim 1 wherein the transaction information is sent per e-mail or mail to the user.
10. A method according to claim 9 wherein the transaction information that is sent to the service computer is entered by way of an input unit of the service computer.
11. A method according to claim 1 wherein said hardware identifier of the service computer that cannot be modified by a user is used as said hardware identifier.
12. A method according to claim 1 wherein said authenticity verifying by the authentication server is performed with aid of a challenge/response procedure.
13. A method according to claim 1 wherein the key data contain a signed certificate.
14. A method according to claim 1 wherein the key data contains a key, and the authentication information sent to the printing or copying system contains an authentication code generated with the aid of the key.
15. A system for authenticating a maintenance and diagnostics service computer for connection to a printing or a copying system to be serviced by performing maintenance and diagnostics, comprising: an authentication server which generates a transaction information and delivers via a first communication line the transaction information to a user of said maintenance and diagnostics service computer, said transaction information being entered by the user of the service computer into the service computer in order to execute authentication of the service computer; said service computer generating first data with aid of the transaction information, said first data including a hardware identifier of hardware contained in the service computer; said service computer transmitting via a second communication line which is distinct from the first communication line said first data from the service computer over to the authentication server over second communication line comprising a data line; said authentication server generating key data depending on the first data and transferring the key data from the authentication server to the service computer over the data line, said key data defining said access rights of the service computer; said service computer generating authentication information for authenticating the service computer with aid of the key data; said service computer transmitting the authentication information from the service computer directly to a system control unit of said printing or copying system independently of the authentication server and after receiving the key data from the authentication server; said system control unit verifying authenticity of the service computer; and said system control unit checking said access rights defined by the key data of the service computer and if access is authorized, servicing by performing said maintenance and diagnostics on the printing or copying system with the maintenance and diagnostics service computer.